<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Module: ActionController::RequestForgeryProtection</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <link rel="stylesheet" href="../.././rdoc-style.css" type="text/css" media="screen" />
  <script type="text/javascript">
  // <![CDATA[

  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }

  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;

    elemStyle = elem.style;
    
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }

    return true;
  }
  
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Module</strong></td>
          <td class="class-name-in-header">ActionController::RequestForgeryProtection</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../files/vendor/rails/actionpack/lib/action_controller/request_forgery_protection_rb.html">
                vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb
                </a>
        <br />
            </td>
        </tr>

        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">



   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000298">authenticity_token_from_cookie_session</a>&nbsp;&nbsp;
      <a href="#M000297">authenticity_token_from_session_id</a>&nbsp;&nbsp;
      <a href="#M000296">form_authenticity_token</a>&nbsp;&nbsp;
      <a href="#M000292">included</a>&nbsp;&nbsp;
      <a href="#M000299">protect_against_forgery?</a>&nbsp;&nbsp;
      <a href="#M000295">verifiable_request_format?</a>&nbsp;&nbsp;
      <a href="#M000294">verified_request?</a>&nbsp;&nbsp;
      <a href="#M000293">verify_authenticity_token</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">

    <div id="class-list">
      <h3 class="section-bar">Classes and Modules</h3>

      Module <a href="RequestForgeryProtection/ClassMethods.html" class="link">ActionController::RequestForgeryProtection::ClassMethods</a><br />

    </div>




      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Class methods</h3>

      <div id="method-M000292" class="method-detail">
        <a name="M000292"></a>

        <div class="method-heading">
          <a href="#M000292" class="method-signature">
          <span class="method-name">included</span><span class="method-args">(base)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000292-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000292-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 6</span>
 6:     <span class="ruby-keyword kw">def</span> <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">included</span>(<span class="ruby-identifier">base</span>)
 7:       <span class="ruby-identifier">base</span>.<span class="ruby-identifier">class_eval</span> <span class="ruby-keyword kw">do</span>
 8:         <span class="ruby-identifier">class_inheritable_accessor</span> <span class="ruby-identifier">:request_forgery_protection_options</span>
 9:         <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">request_forgery_protection_options</span> = {}
10:         <span class="ruby-identifier">helper_method</span> <span class="ruby-identifier">:form_authenticity_token</span>
11:         <span class="ruby-identifier">helper_method</span> <span class="ruby-identifier">:protect_against_forgery?</span>
12:       <span class="ruby-keyword kw">end</span>
13:       <span class="ruby-identifier">base</span>.<span class="ruby-identifier">extend</span>(<span class="ruby-constant">ClassMethods</span>)
14:     <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <h3 class="section-bar">Protected Instance methods</h3>

      <div id="method-M000298" class="method-detail">
        <a name="M000298"></a>

        <div class="method-heading">
          <a href="#M000298" class="method-signature">
          <span class="method-name">authenticity_token_from_cookie_session</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
No secret was given, so assume this is a cookie session store.
</p>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000298-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000298-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 123</span>
123:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">authenticity_token_from_cookie_session</span>
124:         <span class="ruby-identifier">session</span>[<span class="ruby-identifier">:csrf_id</span>] <span class="ruby-operator">||=</span> <span class="ruby-constant">CGI</span><span class="ruby-operator">::</span><span class="ruby-constant">Session</span>.<span class="ruby-identifier">generate_unique_id</span>
125:         <span class="ruby-identifier">session</span>.<span class="ruby-identifier">dbman</span>.<span class="ruby-identifier">generate_digest</span>(<span class="ruby-identifier">session</span>[<span class="ruby-identifier">:csrf_id</span>])
126:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000297" class="method-detail">
        <a name="M000297"></a>

        <div class="method-heading">
          <a href="#M000297" class="method-signature">
          <span class="method-name">authenticity_token_from_session_id</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Generates a unique digest using the session_id and the CSRF secret.
</p>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000297-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000297-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 112</span>
112:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">authenticity_token_from_session_id</span>
113:         <span class="ruby-identifier">key</span> = <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">request_forgery_protection_options</span>[<span class="ruby-identifier">:secret</span>].<span class="ruby-identifier">respond_to?</span>(<span class="ruby-identifier">:call</span>)
114:           <span class="ruby-identifier">request_forgery_protection_options</span>[<span class="ruby-identifier">:secret</span>].<span class="ruby-identifier">call</span>(<span class="ruby-ivar">@session</span>)
115:         <span class="ruby-keyword kw">else</span>
116:           <span class="ruby-identifier">request_forgery_protection_options</span>[<span class="ruby-identifier">:secret</span>]
117:         <span class="ruby-keyword kw">end</span>
118:         <span class="ruby-identifier">digest</span> = <span class="ruby-identifier">request_forgery_protection_options</span>[<span class="ruby-identifier">:digest</span>] <span class="ruby-operator">||=</span> <span class="ruby-value str">'SHA1'</span>
119:         <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">hexdigest</span>(<span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">digest</span>), <span class="ruby-identifier">key</span>.<span class="ruby-identifier">to_s</span>, <span class="ruby-identifier">session</span>.<span class="ruby-identifier">session_id</span>.<span class="ruby-identifier">to_s</span>)
120:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000296" class="method-detail">
        <a name="M000296"></a>

        <div class="method-heading">
          <a href="#M000296" class="method-signature">
          <span class="method-name">form_authenticity_token</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Sets the token value for the current session. Pass a :secret option in
protect_from_forgery to add a custom salt to the hash.
</p>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000296-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000296-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 99</span>
 99:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">form_authenticity_token</span>
100:         <span class="ruby-ivar">@form_authenticity_token</span> <span class="ruby-operator">||=</span> <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">request_forgery_protection_options</span>[<span class="ruby-identifier">:secret</span>]
101:           <span class="ruby-identifier">authenticity_token_from_session_id</span>
102:         <span class="ruby-keyword kw">elsif</span> <span class="ruby-identifier">session</span>.<span class="ruby-identifier">respond_to?</span>(<span class="ruby-identifier">:dbman</span>) <span class="ruby-operator">&amp;&amp;</span> <span class="ruby-identifier">session</span>.<span class="ruby-identifier">dbman</span>.<span class="ruby-identifier">respond_to?</span>(<span class="ruby-identifier">:generate_digest</span>)
103:           <span class="ruby-identifier">authenticity_token_from_cookie_session</span>
104:         <span class="ruby-keyword kw">elsif</span> <span class="ruby-identifier">session</span>.<span class="ruby-identifier">nil?</span>
105:           <span class="ruby-identifier">raise</span> <span class="ruby-constant">InvalidAuthenticityToken</span>, <span class="ruby-value str">&quot;Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session.&quot;</span>
106:         <span class="ruby-keyword kw">else</span>
107:           <span class="ruby-identifier">raise</span> <span class="ruby-constant">InvalidAuthenticityToken</span>, <span class="ruby-value str">&quot;No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store).&quot;</span>
108:         <span class="ruby-keyword kw">end</span>
109:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000299" class="method-detail">
        <a name="M000299"></a>

        <div class="method-heading">
          <a href="#M000299" class="method-signature">
          <span class="method-name">protect_against_forgery?</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000299-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000299-source">
<pre>
     <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 128</span>
128:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">protect_against_forgery?</span>
129:         <span class="ruby-identifier">allow_forgery_protection</span> <span class="ruby-operator">&amp;&amp;</span> <span class="ruby-identifier">request_forgery_protection_token</span>
130:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000295" class="method-detail">
        <a name="M000295"></a>

        <div class="method-heading">
          <a href="#M000295" class="method-signature">
          <span class="method-name">verifiable_request_format?</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000295-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000295-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 94</span>
94:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">verifiable_request_format?</span>
95:         <span class="ruby-identifier">request</span>.<span class="ruby-identifier">format</span>.<span class="ruby-identifier">html?</span> <span class="ruby-operator">||</span> <span class="ruby-identifier">request</span>.<span class="ruby-identifier">format</span>.<span class="ruby-identifier">js?</span>
96:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000294" class="method-detail">
        <a name="M000294"></a>

        <div class="method-heading">
          <a href="#M000294" class="method-signature">
          <span class="method-name">verified_request?</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Returns true or false if a request is verified. Checks:
</p>
<ul>
<li>is the format restricted? By default, only HTML and AJAX requests are
checked.

</li>
<li>is it a GET request? Gets should be safe and idempotent

</li>
<li>Does the <a
href="RequestForgeryProtection.html#M000296">form_authenticity_token</a>
match the given _token value from the params?

</li>
</ul>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000294-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000294-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 87</span>
87:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">verified_request?</span>
88:         <span class="ruby-operator">!</span><span class="ruby-identifier">protect_against_forgery?</span>     <span class="ruby-operator">||</span>
89:           <span class="ruby-identifier">request</span>.<span class="ruby-identifier">method</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:get</span>      <span class="ruby-operator">||</span>
90:           <span class="ruby-operator">!</span><span class="ruby-identifier">verifiable_request_format?</span> <span class="ruby-operator">||</span>
91:           <span class="ruby-identifier">form_authenticity_token</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">params</span>[<span class="ruby-identifier">request_forgery_protection_token</span>]
92:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000293" class="method-detail">
        <a name="M000293"></a>

        <div class="method-heading">
          <a href="#M000293" class="method-signature">
          <span class="method-name">verify_authenticity_token</span><span class="method-args">()</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
The actual before_filter that is used. Modify this to change how you handle
unverified requests.
</p>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000293-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000293-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 78</span>
78:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">verify_authenticity_token</span>
79:         <span class="ruby-identifier">verified_request?</span> <span class="ruby-operator">||</span> <span class="ruby-identifier">raise</span>(<span class="ruby-constant">ActionController</span><span class="ruby-operator">::</span><span class="ruby-constant">InvalidAuthenticityToken</span>)
80:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>


    </div>


  </div>


<div id="validator-badges">
  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
</div>

</body>
</html>